[messaging] Group messaging consistency under resource constraints
infinity0 at pwned.gg
Mon Oct 20 08:11:53 PDT 2014
On 10/10/14 23:09, Trevor Perrin wrote:
> On Fri, Oct 10, 2014 at 1:21 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
>> On 10/10/14 21:06, Trevor Perrin wrote:
>>>  https://moderncrypto.org/mail-archive/messaging/2014/000372.html
>> This  doesn't achieve consistency. I tried to explain why both in its "next message in thread" and in the first post of this thread, but it looks like my warnings are falling on deaf ears; here is a more concrete example:
>> A: (1) Who wants ice cream? (last-message-seen: 0)
>> A: (2) Who wants to kill the president? (last-message-seen: 1) (sent to everyone, *except B*)
>> B: (3) No thanks... (last-message-seen: 2)
>> C: (4) Me! (last-message-seen: 3)
> Thanks for the concrete example.
> It would be great to have a list of cases like this so we could
> compare how different proposals handle them.
> In this case, with Moxie's proposal, C is warned about the missing
> message before saying "Yes!". And anyone reading the (obviously
> ambiguous) transcript could long-click on C's "Yes!" and see what it's
> responding to.
> Maybe that's good enough, maybe it's not. A better taxonomy of
> possible issues and proposals would help make these comparisons.
Here is another example of an attack scenario. Hopefully, this demonstrates more obviously, that the  scheme proposed makes certain consistency attacks invisible to some of the victims:
Alice: (1) So let's discuss Dual EC DRBG (last-message-seen: 0) # to everyone except David
Alice: (1A) So let's discuss Fortuna (last-message-seen: 0) # to David only
Bob: (2) Do you think this RNG is suitable, David? (last-message-seen: 1) # to everyone
# David is feeling lazy today and doesn't want to wait for the warning to disappear nor to slow down the conversation.
# Besides, nothing bad happened with the last 37 warnings. Also, Bob is a totally trustworthy friend, right?
David: (3) Yeah it's suitable, let's go with that. (last-message-seen: 2) # to everyone
Alice: (4) OK, sounds good. Team, you heard our advisor. Make it so! (last-message-seen: 3)
Everyone else except David sees 1<-2<-3<-4 with no warnings. David unilaterally decided the warning wasn't important enough to bother acting upon, resulting in everyone being screwed.
That is, if you want consistency under the  scheme above, it is not enough for *you yourself* to react properly to warnings, but you have to rely on *other people* to react appropriately too.
If the user cannot react out-of-band to the warning, then (to guarantee consistency) he must wait until the warning subsides and he has "seen all messages" before a certain message. However, this is not guaranteed to ever happen - for example, if someone sends messages 1, 2, 3, 4, 5,..., and the receiver gets them in this order:
1, 3, 5, 2, 7, 4, 9, 6,...
then at no point in the sequence is the user "missing no messages". The above sequence is (1, 3, 5, 7, ...) offset-and-interleaved with (2, 4, 6, ...), but one can imagine other sequences that have the same property.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the Messaging